Re: [Samba] [SOLVED] Samba 4: 'Access denied' error when accessing user profile during logon

Thanks for the response. I followed your instructions:

- set the "chmod 1750 /srv/samba/profiles"

- set, after logging in as AD-LAN\Administrator, the permissions for \\DC\profiles :

Creator Owner: all; applied to: Subfolders and files
Administrator: all; applied to: This folder, Subfolders and files
Domain Users: Traverse folder/Execute file,List folder/Read data,Read attributes,Read extended attributes,Create files/Write data,Create folders/Append data; applied to: This folder only

Results:

1. Permissions mask:
# ls -al /srv/samba | grep profiles
drwxrwx--T+ 1 root AD-LAN\domain users   34 Sep 21 11:25 profiles

2. ACL list for [profiles]
# getfacl /srv/samba/profiles
getfacl: Removing leading '/' from absolute path names
# file: srv/samba/profiles
# owner: root
# group: AD-LAN\134domain\040users
# flags: --t
user::rwx
user:root:rwx
group::rwx
group:AD-LAN\134domain\040users:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:AD-LAN\134domain\040users:---
default:mask::rwx
default:other::---

3. When logging in without a local/roaming profile, the user 'username' gets a roaming profile folder created:
# getfacl /srv/samba/profiles/username.V2
getfacl: Removing leading '/' from absolute path names
# file: srv/samba/profiles/username.V2
# owner: AD-LAN\134username
# group: AD-LAN\134domain\040users
user::rwx
user:AD-LAN\134username:rwx
user:3000000:rwx
group::---
group:AD-LAN\134domain\040users:---
group:NT\040AUTHORITY\134system:rwx
mask::rwx
other::---
default:user::rwx
default:user:AD-LAN\134username:rwx
default:user:3000000:rwx
default:group::---
default:group:AD-LAN\134domain\040users:---
default:group:NT\040AUTHORITY\134system:rwx
default:mask::rwx
default:other::---

4. The non-Administrator domain users cannot access the profiles permissions, nor can they access the profiles of other users.

Is the above fine from the viewpoint of access rights?

Sincerely,
Konstantin
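To make the question above checkable rather than eyeballed, here is an added example (not code from the Samba project or from either poster): a small Python parser for the getfacl listing format quoted in this thread, plus an audit that encodes the properties Louis describes: the share root is sticky and closed to 'other' while Domain Users can enter it and create their username.V2 folder, and each profile folder is owned by its user and grants nothing to Domain Users or 'other', in both the access and the default ACL. It decodes getfacl's octal escapes (\134 is a backslash, \040 a space) and applies the ACL mask, so it reports effective rights rather than the raw entries. The two listings are copied from the message above; the relaxed root at the end is constructed to show what a finding looks like.

```python
import re

# getfacl prints non-printable bytes as \ooo octal escapes: \134 is a backslash
# and \040 a space, hence "AD-LAN\134domain\040users" in the listings above.
def unescape(name):
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)

def parse_getfacl(text):
    """One getfacl listing -> header fields plus 'entries' of (is_default, tag, qualifier, perms)."""
    acl = {"entries": []}
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("getfacl:"):
            continue  # blank line or the "Removing leading '/'" notice
        if line.startswith("#"):
            m = re.match(r"#\s*(file|owner|group|flags):\s*(.*)", line)
            if m:
                acl[m.group(1)] = unescape(m.group(2))
            continue
        is_default = line.startswith("default:")
        parts = (line[len("default:"):] if is_default else line).split(":")
        if len(parts) == 3:  # tag:qualifier:perms; qualifier is empty for owner, owning group, mask, other
            acl["entries"].append((is_default, parts[0], unescape(parts[1]), parts[2]))
    return acl

def effective(acl, tag, name, default=False):
    """Rights a user/group actually gets after the mask; owner and owning group are user:: and group::."""
    owning = acl.get("group" if tag == "group" else "owner")
    qualifier = "" if name == owning else name
    perms, mask = "---", "rwx"
    for is_default, t, q, p in acl["entries"]:
        if is_default == default and t == tag and q == qualifier:
            perms = p
        elif is_default == default and t == "mask":
            mask = p
    if tag == "group" or qualifier:  # the mask never limits the owner or 'other'
        perms = "".join(c if c == m else "-" for c, m in zip(perms, mask))
    return perms

def audit(acl, domain_users, profile_owner=None):
    """Findings for the [profiles] root (profile_owner=None) or one username.V2 folder; [] means OK."""
    findings = []
    for default in (False, True):
        scope = "default " if default else ""
        if effective(acl, "other", "", default) != "---":
            findings.append(scope + "other:: grants access")
        du = effective(acl, "group", domain_users, default)
        if default or profile_owner:  # nothing for Domain Users inside profile folders
            if du != "---":
                findings.append(scope + f"'{domain_users}' gets {du} on profile contents")
        elif "w" not in du or "x" not in du:  # root: users must be able to create username.V2
            findings.append(f"'{domain_users}' has {du} on the root, needs w and x")
    if profile_owner is None:
        if "t" not in acl.get("flags", ""):
            findings.append("sticky bit missing on the share root")
    elif acl.get("owner") != profile_owner:
        findings.append(f"owned by {acl.get('owner')!r}, expected {profile_owner!r}")
    return findings

# Listings copied from Konstantin's message above, kept as raw strings so that
# getfacl's escapes survive; RELAXED_ROOT is constructed (a root left at 0777).
DOMAIN_USERS = r"AD-LAN\domain users"
ROOT_ACL = r"""# file: srv/samba/profiles
# owner: root
# group: AD-LAN\134domain\040users
# flags: --t
user::rwx
user:root:rwx
group::rwx
group:AD-LAN\134domain\040users:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:AD-LAN\134domain\040users:---
default:mask::rwx
default:other::---
"""
PROFILE_ACL = r"""# file: srv/samba/profiles/username.V2
# owner: AD-LAN\134username
# group: AD-LAN\134domain\040users
user::rwx
user:AD-LAN\134username:rwx
user:3000000:rwx
group::---
group:AD-LAN\134domain\040users:---
group:NT\040AUTHORITY\134system:rwx
mask::rwx
other::---
default:user::rwx
default:user:AD-LAN\134username:rwx
default:user:3000000:rwx
default:group::---
default:group:AD-LAN\134domain\040users:---
default:group:NT\040AUTHORITY\134system:rwx
default:mask::rwx
default:other::---
"""
RELAXED_ROOT = ROOT_ACL.replace("# flags: --t\n", "").replace("\nother::---", "\nother::rwx")
```

Feed it `getfacl /srv/samba/profiles` for the root and `getfacl /srv/samba/profiles/<user>.V2` with that user's name for each profile folder; both listings above come back with no findings, while the constructed 0777 root is flagged for the missing sticky bit and for 'other' having access. Note that the check works on the owning group by name, so it handles both the layout here (owning group is Domain Users, rights in `group::`) and Louis's (owning group root, rights in a named `group:` entry).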

L.P.H. van Belle via samba wrote 2018-09-20 16:01:
Hai,

Sorry to say but..
The solution (following the default how-to directories structure):

No, the solution is to set it up correctly.
Just do a small test here to see if it's all correct.

With a windows computer, browse to \\server

Right-click the profiles share, check security.
	If this is set correct, the user should not be able to see the rights.

Repeat, now as Administrator.
	You should see the needed rights.

And in my case that's on \\server\profiles
Creator Owner ( 1700 )	Full with Special rights ( Apply to Only subfolders and files )
Administrator		Full control ( Apply to This Folder, subfolders and files )
Domain Users		Special with browse/exec, Read file/folder, create/add folder ( Only this folder )

And in my case that's on \\server\profiles\user.v2
The resulting user folders should show ( in Windows )
SYSTEM 	Full control
Username 	Full control


Which results in ( for me ) with getfacl

# file: home/samba/profiles
# owner: root
# group: root
# flags: --t
user::rwx
user:root:rwx
group::---
group:root:---
group:domain\040users:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:root:---
default:mask::rwx
default:other::---

#( Group 2005 is SYSTEM  )
# file: home/samba/profiles/username.V2
# owner: username
# group: domain\040users
user::rwx
user:username:rwx
group::---
group:2005:rwx
group:domain\040users:---
mask::rwx
other::---
default:user::rwx
default:user:username:rwx
default:group::---
default:group:2005:rwx
default:group:domain\040users:---
default:mask::rwx
default:other::---

Now, you will probably get different ( more relaxed ) results, which in
the end might give problems for the Win PCs.

Set :
[profiles]
    browseable = yes
    path = /home/samba/profiles
    read only = no
    acl_xattr:ignore system acl = yes

And now apply the rights again from within windows.
And don't touch it with chmod again.
If needed use setfacl/getfacl.
If you think it's complex, then read:
https://serversforhackers.com/c/beyond-permissions-linux-acls
Well explained.

The acl_xattr:ignore system acl = yes in profiles is imo a must, because
you will have far fewer problems with your profile folders and the
rights Windows expects.


Greetz,

Louis



-----Original message-----
From: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] On behalf of
Konstantin Boyandin via samba
Sent: Thursday 20 September 2018 9:26
To: samba@xxxxxxxxxxxxxxx
Subject: [Samba] [SOLVED] Samba 4: 'Access denied' error
when accessing user profile during logon

Hello,

Looks like the solution was rather simple.

If a user profile matching the OS doesn't yet exist, Windows attempts to
create one under '[profiles]'. I.e., for user 'username', Windows 7 will
attempt to create [profiledir]\username.V2

If it can't create that directory, 'Access denied' is written to the
system event log and a temporary profile is created.

The solution (following the default how-to directories structure):

# chmod g+w /srv/samba/profiles

The hint was posted in

https://windowsserveressentials.com/2011/02/25/quick-fix-access-denied-to-romaing-profile-windows-7/

Note: taking the above into account, I believe that the corresponding
section (Using POSIX ACLs) should be updated in

https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles

namely, replace

# chmod 1750 /srv/samba/profiles/

with

# chmod 1770 /srv/samba/profiles/

Sincerely,
Konstantin

Konstantin Boyandin via samba wrote 2018-09-20 12:25:
> Hello,
>
> After joining Windows 7 to a Samba 4 (AD), when logging on I
> experience an 'Access denied' error accessing the user profile. As
> a result, Windows creates a temporary profile for the domain user (the
> profile is deleted upon logoff).
>
> [...]

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
